On 06/26/2017 05:49 AM, Salz, Rich via openssl-dev wrote:
> We welcome your input.

Here is an observation plus some suggestions:

Using the word "entropy" in this context is unhelpful.

Normally, entropy means something very specific, in which case using entropy to design and explain your RNG is a bad idea. I can exhibit a distribution that has provably infinite entropy, even though you can guess the exact output more than 25% of the time.

If perhaps you mean something else, calling it "entropy" is an even worse idea. It is likely that readers will misunderstand what is written.

I am quite aware that the word appears in kernel source, but that doesn't make it right. It is used inconsistently, and AFAICT none of the possible interpretations is really correct.

Note: The real issue here is not the terminology. Ideas are primary and fundamental; terminology is tertiary. Terminology is only important insofar as it helps us formulate and communicate the ideas.

There are at least five different ideas that need to be understood:

1) The randomness of an ideal PRNG.
2) The randomness of an ideal TRNG aka HRNG.
3) The opposite, i.e. pure determinism.
4) Squish, which is neither reliably predictable nor reliably unpredictable.
5) Combinations of the above.

Suggestion: Get rid of every mention of "entropy" from openssl code, documentation, design discussions, and everywhere else.

Suggestion: In the common case where exact meaning is not important, "entropy" can be replaced by a noncommittal nontechnical word such as "randomness". Even so, it should be clearly documented that this term is not meant to be quantitative.

Suggestion: If you mean for something to be hard for the attacker to guess, the word "adamance" can be used. This can be quantified in terms of the Rényi H_∞ functional, plus some additional attention to detail (including specifying that it is a functional of the attacker's macrostate, not anybody else's).

Suggestion: In the remaining cases, which are not rare, it is important to take a step back and figure out what is the actual idea that is being (or should be) discussed. This will not be easy, but it must be done, line by line. Otherwise the whole enterprise is likely to be a waste of time.
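
An added illustration of the gap between Shannon entropy and the Rényi H_∞ functional named in the message above (not part of the original post, and not the author's own distribution): a constructed finite family with one outcome at probability 0.26 and the remaining mass spread uniformly over 2^k outcomes. The spike value, the tail construction and all function names are assumptions made for this example.

```python
import math

def shannon_bits(groups):
    """Shannon entropy in bits; groups = [(p, count)], `count` outcomes of probability p each."""
    return -sum(count * p * math.log2(p) for p, count in groups if p > 0)

def min_entropy_bits(groups):
    """Renyi H_inf in bits: -log2 of the single most likely outcome."""
    return -math.log2(max(p for p, _ in groups))

def spike_plus_tail(spike, tail_bits):
    """Constructed distribution: one outcome with probability `spike`,
    the remaining mass spread uniformly over 2**tail_bits other outcomes."""
    if not 0.0 < spike < 1.0:
        raise ValueError("spike must be strictly between 0 and 1")
    if not 0 <= tail_bits <= 1000:
        raise ValueError("tail_bits out of range for float arithmetic")
    n = 2 ** tail_bits
    return [(spike, 1), ((1.0 - spike) / n, n)]

def compare(spike=0.26, tail_sizes=(8, 64, 128, 256)):
    """Return rows of (tail_bits, shannon, h_inf, first_guess_success)."""
    rows = []
    for k in tail_sizes:
        dist = spike_plus_tail(spike, k)
        h_inf = min_entropy_bits(dist)
        # An attacker's best single guess succeeds with probability 2**-H_inf.
        rows.append((k, shannon_bits(dist), h_inf, 2.0 ** -h_inf))
    return rows

if __name__ == "__main__":
    for k, h, h_inf, guess in compare():
        print(f"tail=2^{k:<3}  Shannon={h:8.2f} bits  H_inf={h_inf:.3f} bits  "
              f"first-guess success={guess:.2f}")
```

As the tail widens from 2^8 to 2^256 outcomes, the Shannon figure climbs from about 6.7 to about 190 bits, while H_∞ stays near 1.94 bits and the first guess still succeeds 26% of the time.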